Hello group, as an exercise I went ahead and extended the SslFilter with support for HTTP Strict Transport Security (HSTS).
At least I think I did. Not that familiar with the internals. I overrode the method postHandle in SslFilter to add the header. Is this the correct place? Or say the correct place in general to add headers in filters?

HTTP Strict Transport Security (HSTS) would be a nice addition for all the SSL-only sites out there. I think in recent years more and more pages have gone full SSL, with good reasons to do so. It is a bit problematic with SslFilter since this one is path based. If you go HSTS then everything on the site uses https. This might break things if you have a path with SSL and one without. You can do that with Shiro but not with HSTS.

You can have a look at the current code here: https://github.com/raupachz/shiro/blob/hsts/web/src/main/java/org/apache/shiro/web/filter/authz/SslFilter.java

Thanks in advance
/Björn
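
An added example, not part of the original message and not the code in the linked branch or Shiro's own: a plain servlet filter that sets the HSTS header before the chain runs, because headers set after the response has been committed are ignored by the container. The class name HstsHeaderFilter and the init-param names maxAge and includeSubDomains are assumptions of this sketch.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical stand-alone filter (not Shiro's SslFilter) that emits HSTS. */
public class HstsHeaderFilter implements Filter {

    private static final String HEADER = "Strict-Transport-Security";
    private String headerValue;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Init-param names are assumptions of this example; default max-age is one year.
        String maxAgeParam = config.getInitParameter("maxAge");
        long maxAge = (maxAgeParam == null) ? 31536000L : Long.parseLong(maxAgeParam.trim());
        if (maxAge < 0) {
            throw new ServletException("maxAge must be >= 0 (0 tells browsers to drop the policy)");
        }
        boolean includeSubDomains =
                Boolean.parseBoolean(config.getInitParameter("includeSubDomains"));
        // Build the value once; it applies to the whole host, not to a single path.
        headerValue = "max-age=" + maxAge + (includeSubDomains ? "; includeSubDomains" : "");
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // RFC 6797: send the header only over secure transport; browsers ignore it on plain HTTP.
        // Behind a TLS-terminating proxy, isSecure() is only true if the container is
        // configured to trust the proxy's forwarded-scheme information.
        if (request.isSecure() && response instanceof HttpServletResponse) {
            // setHeader rather than addHeader, so the header appears exactly once.
            ((HttpServletResponse) response).setHeader(HEADER, headerValue);
        }
        // Set before the chain: once downstream code commits the response,
        // later header changes are silently ignored.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // No resources to release.
    }
}
```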
